CVE-2024-5148: Gnome-remote-desktop: inadequate validation of session agents using d-bus methods may expose rdp tls certificate
First published: Mon May 20 2024(Updated: )
A flaw was found in the gnome-remote-desktop package. The gnome-remote-desktop system daemon performs inadequate validation of session agents using D-Bus methods related to transitioning a client connection from the login screen to the user session. As a result, the system RDP TLS certificate and key can be exposed to unauthorized users. This flaw allows a malicious user on the system to take control of the RDP client connection during the login screen-to-user session transition.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/gnome-remote-desktop | <46.2-1~ubuntu24.04.2 | 46.2-1~ubuntu24.04.2 |
| ubuntu/gnome-remote-desktop | <46.2 | 46.2 |
| debian/gnome-remote-desktop | 0.1.7-1 0.1.9-5 43.3-1 44.2-8 | |
| redhat/gnome-remote-desktop | <46.2 | 46.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2024-5148
- https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/commit/2551f90af03828d06f55169a4e95876a5d58bb8e
- https://ubuntu.com/security/notices/USN-6785-1
- https://nvd.nist.gov/vuln/detail/CVE-2024-5148
- https://launchpad.net/bugs/cve/CVE-2024-5148
- https://security-tracker.debian.org/tracker/CVE-2024-5148
- https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/merge_requests/263
- https://ubuntu.com/security/CVE-2024-5148
- https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/196
- https://access.redhat.com/security/cve/CVE-2024-5148
- https://bugzilla.redhat.com/show_bug.cgi?id=2282003
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2282226
Frequently Asked Questions
What is the severity of CVE-2024-5148?
CVE-2024-5148 has been rated as a medium severity vulnerability due to inadequate validation of session agents.
How do I fix CVE-2024-5148?
To fix CVE-2024-5148, upgrade the gnome-remote-desktop package to version 46.2 or later.
What systems are affected by CVE-2024-5148?
CVE-2024-5148 affects the gnome-remote-desktop package on Ubuntu, Debian, and Red Hat systems.
Who is responsible for managing the gnome-remote-desktop security updates related to CVE-2024-5148?
Security updates for gnome-remote-desktop related to CVE-2024-5148 are managed by the respective maintainers of Ubuntu, Debian, and Red Hat.
What consequences can arise from not addressing CVE-2024-5148?
Failing to address CVE-2024-5148 can lead to unauthorized access or exploitation of remote desktop sessions.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-5148
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/remedy
- agent/type
- agent/weakness
- agent/title
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/softwarecombine
- agent/description
- agent/first-publish-date
- agent/severity
- agent/author
- agent/event
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/trending
- agent/source
- package-manager/ubuntu
- package-manager/debian
- package-manager/redhat